Sensative Data Processing Addendum ("DPA")

Rev A 2024-07-13

1. Scope, priority and parties.

This Data Processing Addendum ("DPA") applies to the Processing of Personal Data that Sensative AB and its Affiliates perform on Your behalf in the provision of Sensative products ("Products") and technical support services or consulting services ("Services"). The Products and Services are described in the relevant license and/or service agreement and the applicable Product and Services License Agreement (collectively, the "Agreement"). In the event of a conflict between the terms of the Agreement and this Data Protection Agreement, the terms of this Data Processing Agreement shall prevail. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, any National SCC Addendum, and/or entered into a DPA with a Customer, the terms of the EU Standard Contractual Clauses, a National SCC Addendum and/or entered into a DPA with a Customer shall prevail. This Data Processing Agreement is between the end customer ("You") and Sensative AB ("Sensative") and is incorporated by reference into the Agreement.

2. Roles of Data Controller and Data Processor.

For the purposes of this Data Processing Agreement (DPA), You are the Data Controller for the Personal Data processed by Sensative under the terms of the Agreement. You are responsible for complying with your obligations as a Data Controller under applicable Data Protection Law governing your provision of Personal Data to us for the performance of the Products and/or Services, including but not limited to obtaining any consents, providing required notices, determining the legal basis, and responding promptly to any requests from a data protection authority. Unless otherwise provided in the Agreement, You will not give us access to any personal data that imposes higher data protection requirements than those agreed in the Agreement and this DPA, and You will limit our access to personal data to the extent necessary for Your use of the Products and Services under the Agreement. Sensative is the Data Processor and service provider in relation to such personal data, except when You are acting as a Data Processor of personal data, in which case we are a Sub-Processor. Sensative is responsible for the processing of Usage Data only for our legitimate business interests in accordance with the Agreement. Each party shall comply with its respective obligations as a Data Controller and Data Processor under applicable Data Protection Legislation.

3. Definitions.

3.1 In addition to the terms defined in the running text, in this DPA, these definitions, whether used in the plural or singular, in definite or indefinite form, shall have the following meanings when they are given with an uppercase letter

Treatment

Any operation or set of operations with respect to Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Legislation

Refers to all privacy and personal data legislation, as well as other legislation, regulations and regulations applicable to the Processing that takes place under this DPA, including national and EU legislation such as GDPR.

Data Controller

Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Instruction

The written instructions specifying in more detail the subject, duration, nature and purpose, type of Personal Data, as well as categories of Data Subjects and special needs covered by the Processing.

Log Log is the result of logging.

Logging

Logging is a continuous collection of information about the Processing of Personal Data that is carried out in accordance with this DPA agreement and that can be linked to an individual natural person.

Data Processor

Natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of the Controller.

Personal Information/Personal Data

Any information relating to an identified or identifiable natural person, in which case an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.

Registered

Natural person whose Personal Data is processed.

Third countries

A state that is not part of the European Union (EU) or is not a member of the European Economic Area (EEA). Sub-Counsel A natural or legal person, public authority, institution or other body that, in its capacity as a subcontractor to the Data Processor, Processes Personal Data on behalf of the Data Controller.

4. Processing of personal data and specification.

4.1 The Data Controller of this DPA hereby appoints Sensative to carry out the Processing on behalf of the DPA as stipulated in this DPA Agreement. 4.2 The Data Processor may only carry out the Processing in accordance with the DPA Agreement and the Instructions in force from time to time.

5. Responsibilities of the Data Controller.

5.1 You are responsible for ensuring that there is a legal basis for the Processing at all times so that Sensative and any Sub-Processor can fulfil their assignment(s) under this DPA Agreement. 5.2 You decide what personal data You give us access and/or store in the Products and/or Services. This may involve processing personal data such as:

• Directly identifying data such as first name, last name, date of birth and home address.
• Communication data such as home telephone number, mobile phone number, email address, postal address and fax number.
• Employment information such as employer, work address, work email and phone, job title, employee ID, system username, and password.
• Other data such as IP address, geo-locations, sensor data and/or control data.
• Other personal data that you give us access to in connection with the use of Sensative Products or Services. 5.3 The Data Controller shall, without undue delay, inform Sensative of changes in the Processing that affect Sensative obligations under the Data Protection Legislation. 5.4 The Data Controller is responsible for informing the Data Subjects about the Processing and for safeguarding the Data Subject's rights under the Data Protection Legislation and for taking any other measures that are the responsibility of the Data Controller under the Data Protection Legislation

6. Sensative obligations as a Data Processor.

6.1 Sensative and all persons acting under its authority under this DPA, including sub-processors and affiliates, will process personal data only for the purpose of performing the Products and/or Services in accordance with your written instructions set out in the Agreement, this DPA, your product configurations and in accordance with applicable Data Protection Legislation. We may also aggregate personal data as part of the Products and/or Services to provide and improve Sensative Products and Services. We will not disclose personal information in response to a subpoena, judicial or administrative order, or other binding instrument (a "Demand") unless required to do so by law. We will promptly notify you of any Claim unless prohibited by law and provide you with reasonable assistance to facilitate your prompt response to the Claim. We may provide personal data to affiliates in connection with an anticipated or actual merger, acquisition, sale, bankruptcy or other reorganization of all or a portion of our business, subject to the obligation to protect personal data in accordance with the terms of this DPA. 6.2 Sensative undertakes to take measures to protect the Personal Data against any kind of Processing that is not in accordance with the DPA Agreement, Instructions and Data Protection Legislation.
6.3 Sensative undertakes to ensure that all natural persons working under its management comply with the DPA Agreement and the Instructions and that the natural persons are informed of relevant legislation.

7. Security measures.

7.1 Sensative shall take all appropriate technical and organizational security measures required by the Data Protection Legislation to prevent Personal Data Incidents, by ensuring that the Processing complies with the requirements of the General Data Protection Regulation and that the Data Subject's rights are protected.
7.2 Sensative shall continuously ensure that the technical and organizational security in connection with the Processing entails an appropriate level of confidentiality, integrity, availability and resilience. 7.3 Sensative shall, through access control systems, only grant access to the Personal Data to such natural persons who work under Sensative's direction and who need the access to be able to perform their duties.
7.4 Sensative undertakes to continuously Log access to the Personal Data in accordance with the DPA Agreement to the extent required by the Instruction. Logs shall be subject to the necessary safeguards, in accordance with Data Protection Legislation.

8. Confidentiality/professional secrecy.

8.1 Sensative and all natural persons working under Sensative's management must comply with both confidentiality and professional secrecy in the Processing. The personal data may not be used or disseminated for other purposes, either directly or indirectly, unless otherwise agreed. 8.2 Sensative shall ensure that all natural persons working under Sensative's direction, who participate in the Processing, are bound by a confidentiality agreement regarding the Processing. However, this is not required if they are already covered by a sanctioned duty of confidentiality that follows from law. Sensative also undertakes to ensure that there are confidentiality agreements with the Sub-Processor as well as confidentiality agreements between the Sub-Processor and all natural persons working under its management, who participate in the Processing. 8.3 Sensative shall promptly notify the Data Controller of any contacts with supervisory authorities regarding the Processing. Sensative is not entitled to represent the Data Controller or act on behalf of the Data Controller vis-à-vis supervisory authorities in matters relating to the Processing. 8.4 If the Data Subject, supervisory authority or third-party requests information from Sensative regarding the Processing, Sensative shall inform the Data Controller of the matter. Information about the Processing may not be disclosed to the Data Subject, supervisory authority or third party without the written consent of the Data Controller, unless it is stipulated by mandatory law that information must be provided. Sensative shall assist in the dissemination of the information that is covered by a consent or legal requirement.

9 Audit, supervision and audit.

9.1 Sensative shall, without undue delay, as part of its guarantees, pursuant to Article 28.1 of the GDPR, be able to report at the request of the Data Controller what technical and organizational security measures are used in order for the Processing to comply with the requirements of the DPA Agreement and Article 28.3.h of the GDPR. 9.2 Sensative shall, at least once (1) a year, review the security of the Processing through a self-monitoring to ensure that the Processing complies with the DPA Agreement. The results of such self-monitoring shall be communicated to the Controller upon request. 9.3 Sensative shall provide the supervisory authority, or other authority that has the legal right to do so, the opportunity to carry out supervision in accordance with the authority's request in accordance with the legislation in force at any given time, even if such supervision would otherwise be in conflict with the provisions of the DPA Agreement.
9.4 Sensative shall ensure that the Data Controller has rights vis-à-vis the Sub-Processor that correspond to all of the Data Controller's rights vis-à-vis Sensative pursuant to Section 9 of the DPA Agreement. 9.5 In the event that the information You request from Sensative does not comply with Your obligations under applicable Data Protection Legislation, You may conduct an audit of our processing of your personal data up to once a year or as otherwise required by applicable Data Protection Legislation.
9.6 To request an audit, You must provide us with a detailed audit plan proposal three weeks in advance, and we will work with you in good faith to agree on a final written plan.
9.7 Audits shall be carried out at your expense, during regular working hours, without disrupting our operations and in accordance with our security rules and requirements.
9.8 Prior to any audit being conducted, we undertake to provide you with reasonably requested information and related evidence to comply with your audit obligations, and you undertake to review this information before conducting any independent audit. If any part of the requested scope of the audit is covered by an audit report issued to us by a qualified third-party auditor within the last twelve months, the parties agree that the scope of your audit shall be reduced accordingly. 9.9 You may use a third-party auditor with our consent, which shall not be unreasonably withheld. Prior to conducting any third-party audit, such auditor shall be required to sign an appropriate non-disclosure agreement with us. If the third party is your supervisory authority that is entitled under applicable law to audit us directly, we will cooperate with and provide reasonable assistance to the supervisory authority in accordance with applicable Data Protection Law. 9.10 You will provide us with a copy of any final report unless prohibited by applicable Data Protection Law, treat the results as confidential information in accordance with the terms of the Agreement (or any confidentiality agreement entered into between you and Sensative), and use it solely for the purpose of assessing our compliance with the terms of the Agreement, this DPA and applicable Data Protection Legislation.

10. Handling of corrections and deletions, etc.

10.1 In the event that the Data Controller has requested correction or deletion due to the Data Processor's incorrect Processing, Sensative shall take appropriate action without undue delay, no later than within thirty (30) days, from the time Sensative has received the required information from the Data Controller. When the Data Controller has requested deletion, Sensative may only carry out Processing of the Personal Data in question as part of the process of rectification or deletion. 10.2 If technical and organizational measures (e.g. upgrades or troubleshooting) are taken by Sensative in the Processing, which may affect the Processing, Sensative shall inform the Data Controller of this in writing in accordance with the provisions on notices in section 18 of the DPA Agreement. The information must be provided well in advance of the measures taken.

11. Personal data breaches.

11.1 Sensative shall have the ability to restore the availability and access to the Personal Data in a reasonable time in the event of a physical or technical incident pursuant to Article 32.1.c of the GDPR. 11.2 Sensative undertakes, taking into account the nature of the Processing, and the information available to Sensative, to assist the Data Controller in fulfilling its obligations in the event of a Personal Data Breach regarding the Processing. Sensative shall, at the request of the Data Controller, also assist in investigating suspicions of any unauthorized Processing and/or access to the Personal Data.
11.3 In the event of a Personal Data Breach of which Sensative has become aware, Sensative shall notify the Data Controller of the incident in writing without undue delay. Sensative shall, taking into account the type of Processing and the information available to Sensative, provide the Data Controller with a written description of the Personal Data Breach.
11.4 The description shall explain: a. The nature of the personal data breach and, if possible, the categories and number of Data Subjects
concerned, as well as the categories and number of personal data items concerned; b. the likely consequences of the Personal Data Breach, and c. measures taken or proposed and measures to mitigate the potential adverse effects of the Personal Data Breach. 11.5 If it is not possible for Sensative to provide the full description at the same time, according to clause 11.3 of the DPA Agreement, the description may be provided in installments without undue further delay.

12. Sub-Processors.

12.1 Sensative has the right to engage the Sub-Processor(s).
12.2 Sensative undertakes to sign a written agreement with the Sub-Processor that regulates the Processing that the Sub-Processor performs on behalf of the Data Controller and to only engage Sub-Processors that provide sufficient guarantees. The Sub-Processor shall implement appropriate technical and organizational measures so that the Processing complies with the requirements of the Data Protection Legislation. With respect to data protection, the Agreement shall impose on the Sub-Processor the same obligations as are imposed on Sensative in this DPA.
12.3 Sensative is fully responsible for the Sub-Processor's Processing towards the Data Controller.
12.5 Sensative has the right to engage new sub-processors and replace existing Sub-Processors.
12.6 When Sensative intends to engage a new or replace an existing Sub-Processor, Sensative shall ensure the Sub Processor's capacity and ability to fulfil its obligations. The Data Processor shall notify the Data Controller in writing of a. the Sub-Processor's name, corporate identity number and registered office (address and country); b. the type of data and categories of Data Subjects that are processed, and c. where the Personal Data is to be processed. 12.7 The Data Controller has the right to object within thirty (30) days from the date of notification in accordance with section 12.6 to Sensative's hiring of a new Sub-Processor and, due to such objection, to terminate this DPA Agreement to terminate in accordance with what is stipulated in the DPA Agreement, section 15.
12.8 Sensative shall at all times maintain a correct and updated list of the Sub-Processors engaged for the Processing of Personal Data on behalf of the Data Controller and make this list available to the Data Controller. The list shall in particular state in which country the Sub-Processor processes the Personal Data and the types of Processing that the Sub-Processor performs.
12.9 When Sensative ceases to use a Sub-Processor, the Data Processor shall notify the Data Controller in writing thereof. Sensative shall, when an agreement is terminated, ensure that the Sub-Processor deletes or returns the Personal Data.

13. Location and transfer of personal data to third countries.

13.1 Sensative shall ensure that the Personal Data is handled and stored in such a way that the scope set out in section 1 of this DPA Agreement is met. For the fulfilment of a DPA agreement within the EU/EEA, the Personal Data shall be handled and stored within the EU/EEA by a natural or legal person established within the EU/EEA, unless the parties to the DPA agreement agree otherwise.
13.2 Sensative is only entitled to transfer Personal Data to Third Countries for Processing (e.g. service, support, maintenance, development, operation or similar processing) if the Data Controller has previously approved such transfer in writing and issued Instructions for this purpose.
13.3 Transfer to a Third Country for Processing under the DPA Agreement, section 13.2, may only take place if it is in accordance with the Data Protection Legislation and meets the requirements for the Processing set out in the DPA Agreement and the Instructions.

14. Liability for damage in connection with processing.

14.1 In the case of compensation for damage in connection with Processing which, by established judgment or settlement, is to be paid to the Data Subject due to a breach of any provision of the DPA Agreement, Instructions and/or the applicable provision of the Data Protection Legislation, Article 82 of the GDPR shall apply. 14.2 Fines under Article 83 of the GDPR shall be borne by the party to the DPA to whom such fine has been imposed. 14.3 If either party becomes aware of a circumstance that may lead to damage to the other party, the party shall inform the other party of the circumstance without undue delay and actively work together with the other party to prevent and minimize such damage.
14.4 Notwithstanding anything to the contrary in the Agreement, this DPA Agreement, paragraphs 14.1 and 14.2, shall take precedence over any other rules on the allocation between the parties of claims between themselves with respect to the Processing.

15. Measures in the event of termination of the DPA agreement.

15.1 Following termination of the Agreement and/or the DPA Agreement, Sensative shall, without undue delay, depending on the Data Controller's choice, either delete and certify to the Data Controller that it has been performed, or return a. any Personal Data Processed on behalf of the Controller; and b. all associated information such as Logs, Instructions, system solutions, descriptions and other documents obtained by Sensative through information exchange under the DPA Agreement.
15.2 In connection with return, Sensative shall also delete existing copies of Personal Data and associated information. 15.3 The obligation to delete or return Personal Data or associated information does not apply if the storage of the Personal Data or the information is required by Union law or relevant national law where Processing may be carried out under the DPA Agreement. 15.4 If Personal Data or associated information is returned, it shall be done in a commonly used and standardised format, unless the parties have agreed on another format.
16.5 Until the data is deleted or returned, Sensative shall ensure compliance with the DPA. 16.6 Returns or deletions under the DPA Agreement must be completed no later than thirty (30) calendar days from the date of termination of the DPA Agreement, unless otherwise stated in the Instructions. Processing of Personal Data that Sensative performs thereafter is to be regarded as unlawful Processing. 15.7 The provisions on confidentiality/professional secrecy in section 8 shall continue to apply even if the DPA agreement otherwise ceases to apply.

16. Notices under this DPA and instructions.

16.1 Notices of the DPA Agreement and its administration, including termination, shall be sent by email or in any other manner agreed by the parties to each party's contact person for the DPA Agreement.
16.2 Notices of the parties' cooperation on data protection regarding the Processing shall be sent by email or in another manner agreed by the parties to each party's contact person for the parties' cooperation on data protection.
16.3 A notice shall be deemed to have reached the recipient no later than one (1) business day after the notice has been sent.

17. Responsibility for information about the parties and contact persons as well as contact details.

17.1 Each party is responsible for ensuring that the information set out in Section 1 of the DPA Agreement is always up to-date and accurate. 17.2 Any change of information in Section 1 shall be notified to the counterparty in accordance with clause 18.1 of the DPA Agreement.

18. Choice of law and disputes.

18.1 In the interpretation and application of the DPA Agreement, Swedish law applies, with the exception of the conflict of law rules. Disputes arising from the DPA Agreement shall be settled by the competent Swedish court.

19. Contact.

You can contact our global Chief Privacy Officer (CPO) through your contact person for the Agreement or at the address Chief Privacy Officer, Sensative AB, Mobilvägen 10, 223 62 Lund, Sweden.

20. Terms.

This DPA is effective upon purchase of the Products and Services. Termination of the Agreement does not relieve either party of its obligations under this DPA.